sassoftware · deshmukhvidya · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024
diff --git a/.pre-commit-config_template.yaml → .pre-commit-config.yaml b/.pre-commit-config_template.yaml → .pre-commit-config.yaml
diff --git a/Dockerfile b/Dockerfile
@@ -16,9 +16,9 @@ RUN yum -y install git openssh jq which \
   && curl -sLO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl \
   && chmod 755 ./kubectl /viya4-iac-aws/docker-entrypoint.sh \
   && mv ./kubectl /usr/local/bin/kubectl \
-  && chmod g=u -R /etc/passwd /etc/group /viya4-iac-aws \
   && git config --system --add safe.directory /viya4-iac-aws \
-  && terraform init
+  && terraform init \
+  && chmod g=u -R /etc/passwd /etc/group /viya4-iac-aws
 
 ENV TF_VAR_iac_tooling=docker
 ENTRYPOINT ["/viya4-iac-aws/docker-entrypoint.sh"]

diff --git a/examples/sample-input-nist.tfvars b/examples/sample-input-nist.tfvars
@@ -0,0 +1,164 @@
+# !NOTE! - These are only a subset of the variables in CONFIG-VARS.md provided
+# as examples. Customize this file to add any variables from CONFIG-VARS.md whose
+# default values you want to change.
+
+# ****************  REQUIRED VARIABLES  ****************
+# These required variables' values MUST be provided by the User
+prefix   = "testindev"
+location = "us-east-1" # e.g., "us-east-1"
+# ****************  REQUIRED VARIABLES  ****************
+
+# !NOTE! - Without specifying your CIDR block access rules, ingress traffic
+#          to your cluster will be blocked by default.
+
+#***************** CIDR Range for Spoke VPC **************
+
+vpc_cidr     = "10.80.16.0/22"
+hub          = "<hub_value>"
+hub_environment = "<environment>"  #  dev or prod
+
+
+ org_id = "<org_id>"
+ central_restore_operator = "arn:aws:iam::<account_id>:role/<role_name>"
+ central_backup_operator = "arn:aws:iam::<account_id>:role/<role_name>"
+ central_backup_vault_us = "arn:aws:iam::<account_id>:role/<role_name>"
+ central_backup_vault_eu = "arn:aws:iam::<account_id>:role/<role_name>"
+ central_logging_bucket =  "<bucket_arn>"  
+ core_network_id = "<core_network_id>"
+ core_network_arn = "<core_network_arn>"
+
+
+
+
+# ********* Set to true to enable NIST complaint code ***********
+enable_nist_features = true
+backup_account_id = "<backuo_account_id>"
+logging_account = "<logging_account_id>"
+
+#***************** Additional CIDR ranges for Spoke VPC *************
+
+additional_cidr_ranges = ["10.88.4.0/24", "10.89.1.0/26", "10.90.0.128/27", "10.91.0.128/27"]
+
+subnets = {
+  "private" : ["10.80.16.0/23"],
+  "control_plane" : ["10.90.0.128/28", "10.90.0.144/28"], # AWS recommends at least 16 IP addresses per subnet
+  "public" : ["10.89.1.0/27", "10.89.1.32/27"],
+  "database" : ["10.88.4.0/25", "10.88.4.128/25"],
+  "eni" : ["10.91.0.128/28", "10.91.0.144/28"]
+}
+
+# **************  RECOMMENDED  VARIABLES  ***************
+default_public_access_cidrs = [] # e.g., ["123.45.6.89/32"]
+ssh_public_key              = "~/.ssh/id_rsa.pub"
+# **************  RECOMMENDED  VARIABLES  ***************
+
+# Tags for all tagable items in your cluster.
+tags = {} # e.g., { "key1" = "value1", "key2" = "value2" }
+
+# Postgres config - By having this entry a database server is created. If you do not
+#                   need an external database server remove the 'postgres_servers'
+#                   block below.
+postgres_servers = {
+  default = {
+      "storage_encrypted": true,
+      "deletion_protection": true,
+      "multi_az": true
+},
+}
+
+## Cluster config
+kubernetes_version           = "1.29"
+default_nodepool_node_count  = 2
+default_nodepool_vm_type     = "m5.2xlarge"
+default_nodepool_custom_data = ""
+
+## General
+efs_performance_mode = "maxIO"
+storage_type          = "ha"
+storage_type_backend  = "ontap"
+enable_efs_encryption = true
+
+# Jump Server
+create_jump_vm = true
+##### NIST Enablement####
+
+create_public_ip      = false ### Set false if enable_nist_feature is set to true
+create_jump_public_ip = false ### Set false if enable_nist_feature is set to true
+enable_ebs_encryption = true
+
+#template_s3_uri       = "s3://sascloud-awsng-conformance-pack/Operational-Best-Practices-for-NIST-800-53-rev-5.yaml"
+conformance_pack_name = "Operational-Best-Practices-for-NIST-800-53-rev-5"
+spoke_account_id         = "<aws_account_id>"
+
+## Cluster Node Pools config
+node_pools = {
+  cas = {
+    "vm_type"      = "i3.8xlarge"
+    "cpu_type"     = "AL2_x86_64"
+    "os_disk_type" = "gp2"
+    "os_disk_size" = 200
+    "os_disk_iops" = 0
+    "min_nodes"    = 1
+    "max_nodes"    = 5
+    "node_taints"  = ["workload.sas.com/class=cas:NoSchedule"]
+    "node_labels" = {
+      "workload.sas.com/class" = "cas"
+    }
+    "custom_data"                          = "./files/custom-data/additional_userdata.sh"
+    "metadata_http_endpoint"               = "enabled"
+    "metadata_http_tokens"                 = "required"
+    "metadata_http_put_response_hop_limit" = 1
+  },
+  compute = {
+    "vm_type"      = "m5.8xlarge"
+    "cpu_type"     = "AL2_x86_64"
+    "os_disk_type" = "gp2"
+    "os_disk_size" = 200
+    "os_disk_iops" = 0
+    "min_nodes"    = 1
+    "max_nodes"    = 5
+    "node_taints"  = ["workload.sas.com/class=compute:NoSchedule"]
+    "node_labels" = {
+      "workload.sas.com/class"        = "compute"
+      "launcher.sas.com/prepullImage" = "sas-programming-environment"
+    }
+    "custom_data"                          = ""
+    "metadata_http_endpoint"               = "enabled"
+    "metadata_http_tokens"                 = "required"
+    "metadata_http_put_response_hop_limit" = 1
+  },
+  stateless = {
+    "vm_type"      = "m5.4xlarge"
+    "cpu_type"     = "AL2_x86_64"
+    "os_disk_type" = "gp2"
+    "os_disk_size" = 200
+    "os_disk_iops" = 0
+    "min_nodes"    = 1
+    "max_nodes"    = 5
+    "node_taints"  = ["workload.sas.com/class=stateless:NoSchedule"]
+    "node_labels" = {
+      "workload.sas.com/class" = "stateless"
+    }
+    "custom_data"                          = ""
+    "metadata_http_endpoint"               = "enabled"
+    "metadata_http_tokens"                 = "required"
+    "metadata_http_put_response_hop_limit" = 1
+  },
+  stateful = {
+    "vm_type"      = "m5.4xlarge"
+    "cpu_type"     = "AL2_x86_64"
+    "os_disk_type" = "gp2"
+    "os_disk_size" = 200
+    "os_disk_iops" = 0
+    "min_nodes"    = 1
+    "max_nodes"    = 3
+    "node_taints"  = ["workload.sas.com/class=stateful:NoSchedule"]
+    "node_labels" = {
+      "workload.sas.com/class" = "stateful"
+    }
+    "custom_data"                          = ""
+    "metadata_http_endpoint"               = "enabled"
+    "metadata_http_tokens"                 = "required"
+    "metadata_http_put_response_hop_limit" = 1
+  }
+}
diff --git a/kms.tf b/kms.tf
@@ -0,0 +1,61 @@
+
+# ####### Create CMK for each resource #################
+data "aws_caller_identity" "current" {}
+
+resource "aws_kms_key" "cmk" {
+  for_each = {
+    for key in keys(local.key_names) :
+    key => key if var.enable_nist_features && (
+      key == "rds_key" ||
+      key == "ebs_key" ||
+      (key == "efs_key" && var.storage_type_backend == "efs") ||
+      (key == "fsx_key" && var.storage_type_backend == "ontap")
+    )
+  }
+  description             = "KMS key for ${each.value}"
+  enable_key_rotation     = true
+  deletion_window_in_days = 7
+  tags                    = local.tags
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Id" : "${each.value}-policy", # Unique identifier for the policy
+    "Statement" : [
+      {
+        "Sid" : "Allow access through ${each.key} for all principals in the account",
+        "Effect" : "Allow",
+        "Principal" : {
+          "AWS" : [
+            "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+            "arn:aws:iam::${var.backup_account_id}:root"
+          ]
+        },
+        "Action" : "kms:*",
+        "Resource" : "*"
+      },
+      {
+        "Sid" : "Allow direct access to key metadata to the account",
+        "Effect" : "Allow",
+        "Principal" : {
+          "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        "Action" : [
+          "kms:Describe*",
+          "kms:Get*",
+          "kms:List*",
+          "kms:RevokeGrant"
+        ],
+        "Resource" : "*"
+      }
+    ]
+  })
+}
+
+
+
+resource "aws_kms_alias" "cmk" {
+  for_each      = var.enable_nist_features ? { for key in keys(local.key_names) : key => key if contains(keys(aws_kms_key.cmk), key) } : {}
+  name          = "alias/${local.key_names[each.key]}"
+  target_key_id = aws_kms_key.cmk[each.key].key_id
+}
+
+
diff --git a/locals.tf b/locals.tf
@@ -46,6 +46,8 @@ locals {
   private_subnet_azs       = can(var.subnet_azs["private"]) ? var.subnet_azs["private"] : data.aws_availability_zones.available.names
   database_subnet_azs      = can(var.subnet_azs["database"]) ? var.subnet_azs["database"] : data.aws_availability_zones.available.names
   control_plane_subnet_azs = can(var.subnet_azs["control_plane"]) ? var.subnet_azs["control_plane"] : data.aws_availability_zones.available.names
+  # ENI subnets as per AWS NG architecture
+  eni_subnet_azs = can(var.subnet_azs["eni"]) ? var.subnet_azs["eni"] : data.aws_availability_zones.available.names
 
   ssh_public_key = (var.create_jump_vm || var.storage_type == "standard"
     ? file(var.ssh_public_key)
@@ -180,4 +182,42 @@ locals {
     }
   } : {}
 
+  ####### Create and associate KMS keys only if NIST code is enabled ######
+  key_names = {
+    "rds_key" = "${var.prefix}-rds-key"
+    "fsx_key" = "${var.prefix}-fsx-key"
+    "efs_key" = "${var.prefix}-efs-key"
+    "ebs_key" = "${var.prefix}-ebs-key"
+  }
+
+  kms_keys = {
+    for key in keys(local.key_names) :
+    key => aws_kms_key.cmk[key].arn
+    if contains(keys(aws_kms_key.cmk), key)
+  }
+
+  ####### Fetching EFS and FSx id for alarm creation ######
+
+  fsx_id = var.storage_type_backend == "ontap" ? aws_fsx_ontap_file_system.ontap-fs[0].id : null
+  efs_id = var.storage_type_backend == "efs" ? aws_efs_file_system.efs-fs[0].id : null
+
+  ####### Postgres NIST enhancements ######
+
+  copy_tags_snapshot               = var.enable_nist_features == true ? true : false
+  rds_enhanced_monitoring          = var.enable_nist_features == true ? module.monitoring_role.rds_monitoring_role : null
+  rds_storage_encryption           = var.enable_nist_features == true ? true : false
+  rds_monitoring_interval          = var.enable_nist_features == true ? 30 : 0
+  rds_performance_insight          = var.enable_nist_features == true ? true : false
+  rds_performance_retention_period = var.enable_nist_features == true ? 7 : 0
+
+  ###nist-resource-chcker
+  bucket_exists   = try(module.resource_checker[0].bucket_external["exists"], "false")
+  waf_exists      = try(module.resource_checker[0].waf_external["exists"], "false")
+  waf_arn         = try(module.resource_checker[0].waf_external["arn"], "")
+  backup_exists   = try(module.resource_checker[0].backup_external["exists"], "false")
+  backup_arn      = try(module.resource_checker[0].backup_external["arn"], "")
+  analyzer_exists = try(module.resource_checker[0].analyzer_external["exists"], "false")
+  analyzer_arn    = try(module.resource_checker[0].analyzer_external["arn"], "")
+
+
 }